Mobile Apps Represent a New Threat Target

"Providing clients with the ability to scan mobile applications for vulnerabilities--including applications developed in-house and outsourced--is the next step of our mobile strategy," said Marc van Zadelhoff, vice president of strategy and product management for IBM Security Systems, in a statement. "With more than 120,000 of our own employees accessing IBM's network through mobile devices, we have had to focus heavily on developing a way for employees to work safely and securely."

With this move, IBM claims to be the first vendor to offer static application security testing (SAST) for Android applications, which allows clients to conduct their own testing of mobile applications. In the past, clients who wanted mobile application security testing had to send their applications and software IP, or intellectual property, to an off-site vendor to test for vulnerabilities. This approach doesn't scale, and the response time is too slow, because mobile applications undergo constant revisions and updates. Organizations need to address mobile application security testing in-house, early in the software development life cycle.

In addition to the mobile application testing capabilities, integration with IBM's QRadar Security Intelligence Platform allows for increased Security Intelligence when an application is moved into production. And by correlating known application vulnerabilities with user and network activity, QRadar can automatically raise or lower the priority score of security incidents.

Meanwhile, IBM also is offering a new cross-site scripting (XSS) analyzer, which uses a learning mode to quickly evaluate millions of potential tests from less than 20 core tests. This new XSS analyzer finds more XSS vulnerabilities faster than any previous version of AppScan, Vandenberg said. New static analysis capabilities help companies adopt broad application security practices through simplified on-boarding of applications and empowering nonsecurity specialists to test faster than with prior releases.

IBM also offers predefined and customizable templates that provide development teams the ability to quickly focus on a rule set prioritized by their security teams, helping corporations focus on key issues for them across their organization.

In addition to the QRadar integration, AppScan offers integration points with IBM Security Network IPS and IBM Security SiteProtector, and is regularly sold as a complement to IBM Guardium and IBM Security Access Management solutions for end-to-end application security. The approach is to provide a comprehensive and integrated security framework for applications across the development and production lifecycle.

Vandenberg said in a mobile environment, developers not only have to be concerned with the management and security of the mobile device, but also secure access to the network and the security of the mobile apps themselves.

However, Jack Danahy, director for advanced security for IBM Security Systems, said mobile developers tend to be much more security-conscious than typical enterprise developers. What's changed is that break-ins are so much a part of their public consciousness that they just naturally deal with security more.

The young crop of developers has never known things any other way, Vandenberg agreed. There needs to be a security requirements discussion before coding is ever done.

What were looking for aspirationally is that requirements for security obtain peer status with functional requirements.

Darryl K. Taft covers the development tools and developer-related issues beat from his office in Baltimore. He has more than 10 years of experience in the business and is always looking for the next scoop. Taft is a member of the Association for Computing Machinery (ACM) and was named 'one of the most active middleware reporters in the world' by The Middleware Co. He also has his own card in the 'Who's Who in Enterprise Java' deck.